Application Risk and Analysis Summary
Application Control
PT S
Fortinet provides robust application control reports detailing how applications are traversing your network and the risks they might pose. These are useful when trying to determine how to define/optimize firewall policies, utilize corporate resources or conduct internal trainings. For instance, the excessive use of Dropbox might indicate the need to setup and internal file repository. Similarly, an uptick in social networking activity may indicate the need for trainings or reminders of corporate policies.
Applications Detected by Risk Behavior
Modern security organizations need increasingly complex security processes in place to handle the myriad of applications in use on the network and in the data center. The problem is determining which applications in your environment are most likely to cause harm. The following charts provide a breakdown of the high risk applications identified on the network. It has been determined by FortiGuard Labs that these applications represent possible vectors for data compromise, network intrusion, or a reduction in network performance. Application Name
Category
Technology
Zeroaccess.Botnet
Botnet
Client-Server
Evasive
Skype
P2P
Peer-to-Peer
Evasive
WebEx
Collaboration
Evasive
Dropbox
Evasive
Google.Docs
Evasive
Google.Desktop
General.Interest
Evasive
Skype_Communication
P2P
Evasive
EBay.Toolbar
General.Interest
Evasive
Evernote
General.Interest
Evasive
RDP
Remote.Access
Bandwidth
Sessions
ER
Risk
24.07 KB
74
7.42 MB
22.11 K
Browser-Based|Client-Server
51.86 MB
21.80 K
File.Sharing
Browser-Based
10.30 GB
13.34 K
Collaboration
Browser-Based
1.43 MB
4.29 K
1.69 GB
2.18 K
Peer-to-Peer
725.86 KB
2.18 K
Browser-Based
365.95 KB
1.10 K
Browser-Based
222.32 KB
657
Client-Server
502.28 MB
636
C
Client-Server
EX
Botnet
Application Usage By Category
E
As part of the traffic classification process, the FortiGate identifies and categorizes applications crossing the network into different categories based on the number of sessions and bandwidth used. This data complements the granular application threat data and provides a more complete summary of the types of applications in use on the network. Application Category
File.Sharing General.Interest Web.Surfing Network.Service
M
P2P
PL
Media
Bandwidth 43.11 GB 10.79 GB 2.01 GB 1.25 GB 840.21 MB 510.11 MB
Remote.Access
502.66 MB
IM
167.36 MB 74.92 MB
SA
Social.Networking Update
18.25 MB
Risky Applications Breakdown
Application Usage By Category Media 72.7% (43 GB) File.Sharing 18.2% (11 GB) General.Interest 3.4% (2 GB) Excessive-Bandwidth 74.0% (212093) Evasive 26.0% (74399) Botnet 0.0% (74)
Web.Surfing 2.1% (1 GB) Network.Service 1.4% (840 MB) P2P 0.9% (510 MB) Remote.Access 0.8% (503 MB) IM 0.3% (167 MB) Social.Networking 0.1% (75 MB) Update 0.0% (18 MB)
ARA Summary - FortiAnalyzer Host Name: FAZVM64
Page 1 of 4
Application Risk and Analysis Summary
Malware and Other Threats
PT S
FortiGate users have visibility into the types of malicious activity being blocked on their networks and can cross reference with the award-winning FortiGuard botnet, virus and IPS research center. Determining which inbound attacks are being prevented and which users are frequent targets can be invaluable in mobilizing your network defenses. For instance, if a specific user is the consistently a malware victim, you can either provide individual guidance or block that user from specific activities.
Top Malware Crossing The Network
FortiGate monitors the network for viruses that are in transit. The FortiGate is able to apply different strategies in order to detect malware: signatures using Fortinet's Compact Pattern Recognition Language (aka CPRL) and heuristics which are applied to file structures and API calls. The FortiGate's antivirus engine provides two main capabilities: decompression which allows embedded files to be extracted and emulation which allows the hidden layers of malicious files to be extracted. Occurrences
ER
Virus Name W32/FakeAV.OY!tr W32/Simda.B!tr W32/Zbot.ANM!tr W32/Jorik.EF78!tr W32/Agent.RNI!tr
C
JS/Redirector.M!exploit
Top Virus Victims
EX
W32/Zbot.DHN!tr
15746 15613 15523 15521 15439 15256 15224
This visualization provides information about which network users are more prone to infection from viruses. It enables direct identification of the host(s) that are creating sources of malicious traffic on the network. The following chart displays the counter of the number of viruses per end user. Virus Victims
Occurrences 878
paltidore
875
E
shiggins
ryoung
lcorrales hrosenberg glucas iaustin
smetcalf wjones
SA
jgupta
M
iholden
PL
lbarker
875 875 875 874 873 873 873 872 870 868
hdonoso
867
ringram
866
hstiglitz
865
ARA Summary - FortiAnalyzer Host Name: FAZVM64
Page 2 of 4
Application Risk and Analysis Summary
Web Usage and Browsing Habits
PT S
The manner in which corporate users interact with specific websites and with certain web categories can be very revealing. FortiGates are able to determine which websites are being frequented, how long those sites are being browsed and the classifications of websites being accessed. Administrators are able to optimize their firewall policies to ensure that employees can get to the information they need while complying with corporate use policies.
Top Websites Visited By Network Users
Identifying and managing the top URLs visited by network users provides greater visibility and control, and subsequently, better network security. By leveraging Fortinet threat prevention, application control and URL filter technologies, the volume of web sites by category can be reviewed and strategies can be put in place to prevent users accessing sites considered to be a risk to overall network security. Domain
Category Streaming Media and Download
wikipedia.org
Reference
craigslist.org
Shopping and Auction Social Networking
skype.com
Instant Messaging
google.com
Web-based Email
pandora.com
C
facebook.com
Internet Radio and TV Information Technology
linkedin.com
Business
amazon.com
Shopping and Auction
Top Websites By Browsing Time
EX
webex.com
Visits
86111
ER
youtube.com
43777 32751 25366 24282 22176 21952 21803 19730 16004
The following chart shows the web sites that users visit for extended periods of time. The administrator can then decide to create security policies to mitigate or block website access, accordingly to their internal corporate use policies. Website
Browse Time (min)
E
en.wikipedia.org craigslist.org
Traffic Sent
Traffic Received 14.66 MB
87.65
10.99 MB
85.58
30.82 GB
85.46
94.03 MB
66.47
7.42 MB
66.46
7.42 MB
66.27
52.28 MB
65.12
51.86 MB
facebook.com
60.05
47.50 MB
linkedin.com
59.40
6.61 MB
youtube.com mail.google.com skype.com stream.pandora.com
M
webex.com
PL
youtube.com
Bandwidth 95.41
SA
Top Web Categories
User browsing habits can not only be indicative of inefficient use of corporate resources, but can also indicate an inefficient optimization of web filtering policies. It can also give some insight into the general web browsing habits of corporate users and assist in defining corporate compliance guidelines. This chart details web categories by the number of times URLs within those categories were requested and by the number of bandwidth used.
Streaming Media and Download 31.4% (94741) Reference 18.3% (55091) Shopping and Auction 17.7% (53534) Information Technology 11.9% (35825) File Sharing and Storage 10.7% (32218) Web-based Email 10.0% (30241)
ARA Summary - FortiAnalyzer Host Name: FAZVM64
Page 3 of 4
Application Risk and Analysis Summary
Bandwidth and Network Usage
PT S
While the use of technologies such as video streaming and peer to peer have positively impacted businesses, many administrators must ensure that a proper balance is being met. Some employees may significantly utilize more bandwidth than others thus affecting monthly bandwidth costs and reducing the network efficiency of others. This can easily be alleviated by keeping an eye on individual bandwidth usage and enacting traffic shaping or blocking certain applications when necessary.
Top Application Users By Bandwidth
This chart provides information about the users who are creating the most network traffic in terms of bandwidth usage. It helps the network administrator to identify users that are potentially abusing network usage or creating traffic that does not comply with internal security policies.
192.168.10.167
cosullivan
192.168.10.59
kfuller
192.168.10.215
lsilva
192.168.10.129
pwashburn
192.168.10.205
woneill
192.168.10.203
gmcclung
192.168.10.65
lbarker
192.168.10.2
hdonoso
192.168.10.28
pwashburn
192.168.10.139
bgore
192.168.10.214
awinters
192.168.10.235
rporter
192.168.10.64
kali
192.168.10.52
ckinnison
192.168.10.107
Traffic Out
Traffic In
219.86 MB
ER
kmcallister
Bandwidth
C
Source IP
203.91 MB 196.18 MB 194.77 MB 192.03 MB 190.98 MB 190.44 MB 189.83 MB 187.23 MB 185.99 MB
EX
User (or IP)
185.32 MB 185.29 MB 184.87 MB 184.57 MB 184.49 MB
E
Top Application Users By Sessions
PL
The section below illustrates the quantity of network users who are opening the highest number of connections. This is a critical value because some users could be opening multiple sessions without their knowledge (e.g. botnets). Statistics on the amount of sessions a user has opened and the bandwidth of those sessions is recorded by the FortiGate. User (or IP) kmcallister
Source IP
Sessions
192.168.10.167
1954
192.168.10.203
1935
192.168.10.58
1703
dsimpson
192.168.10.162
1697
bmatsubara
192.168.10.26
1691
cloomis
tbrown
M
woneill
1690
192.168.10.240
1687
cloomis
192.168.10.11
1683
pharris
192.168.10.244
1683
cullman
192.168.10.89
1682
lbarker
192.168.10.2
1682
jkirovski
192.168.10.247
1676
hdonoso
192.168.10.28
1674
chall
192.168.10.205
1671
iholden
192.168.10.202
1669
SA
192.168.10.156
emccrary
ARA Summary - FortiAnalyzer Host Name: FAZVM64
Page 4 of 4